-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-22_05.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-02-15 Credits: Fabien MAISONNETTE (Alstom) https://fr.linkedin.com/in/fabdotnet Affects: pfSense Plus software versions < 22.05 pfSense CE software versions <= 2.6.0 Corrected: 2022-04-14 13:36:43 UTC (pfSense Plus master) 2022-04-14 13:36:43 UTC (pfSense CE master) 2022-04-14 13:39:39 UTC (pfSense CE 2.6.0) 0. Revision History v1.0 2023-02-15 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in firewall_aliases.php, a component of the pfSense Plus and pfSense CE software GUI. This problem is present on pfSense Plus version 22.05, pfSense CE version 2.6.0, and earlier versions of both. The page did not sanitize the contents of URL Table Alias URL parameters nor did it encode the output when it included the value of that parameter in the page when viewing the list of aliases on the URL or All tabs, leading to a possible XSS. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 22.05 or later, or pfSense CE software versions after 2.6.0 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense CE version 2.6.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master ac6e07b50d1f72d689eee3ad16427c975482adc3 pfSense/master ac6e07b50d1f72d689eee3ad16427c975482adc3 pfSense/RELENG_2_6_0 528e53e8bb86642e38aa098226f5b74951d6a7bb - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmPr0sYACgkQE7mH/ZIU +NoMOhAArErwkT0QeMxGNqBY+IR3awOsgL0qAMcFvLj4Cg+DBSgxgezuvzztMYzz HtAQS7bl7LiTevbJztD7/yP1ldYgGKbRHNadjilh1RhWi896pbS0AqJ38P88jK5/ NFu4KdN7BgScdyGdBPDIPb9rTkvkYiAu0gSiYNFdxZnOfHqGvFO7JrY+XQcWFINS BVc45faKGlbXnLizfGEhV6l0ApXxsG3zYwhc3p8knfT9WxbXpSoUWZrShDLKSDRT W6Xep7ivM/tULIaKdFbj9ZKytdNXqMrMAIaqvh4+8gfP9Wy+nkBh+nprh2bd9qCq +asuI3qaHTisPxno3mSmmaacTTMDuAwQw3KjIkl5UCwTNODGRgtU96syFYj4Ydqi yWJid9l67iryb2kLaqMPACKwFZbrqJGmA7KDbQu/yRlKNBUacHV0PSf8D9fxjFSk BliwckFFpS1PLRnG2q18xHShONkRW+KtxZu7BuvFTr83KJU6XWsamJVH9U+zPhxC S8NNPxQUIck5IvcorIjjS8FufxOtKDhoDTDMsPs9O5Uv7Fw6FFZxLwgI3UmzM9q7 RzPuScIX4QS39dxf60qmeL+1DruqMtA8eL1XhlYQuFuSzMdcRu+pOGA5X6dtzMy3 OWgcpy2LMMo5skcNEVHAjHtGa5TIy4kUfIS9V/bTRU8qu6GaFtI= =/DvS -----END PGP SIGNATURE-----